ru.linux - RU.LINUX
-------------------------------------------------------------------------------
From    : Andrey Ovchinnikov        2:467/70.49        07 Jul 2004 00:53:44
To      : Eugene B. Berdnikov
Subject : Re: miracles with masquerading
-------------------------------------------------------------------------------
In junk Eugene B. Berdnikov <berd@desert.ihep.su> wrote:

EBB> First look for typos in the script, and post the output of iptables -t nat -L
EBB> before and after the "manual work", plus the contents of /proc/net/ip_conntrack.

I understand that there are no miracles in this world, but I still can't find the mistake. So:

1. The firewall script itself

============ FIREWALL ===============
#!/bin/bash
# Internet Firewall start configuration
# eth1 is connected to the Internet
# eth0 is connected to a private subnet
PRIVATE=192.168.2.0/24
LOOP=127.0.0.1

# Delete old iptables rules and temporarily block all traffic
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -F -t nat

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using the loopback address
iptables -A INPUT -i eth1 -s $LOOP -j DROP
iptables -A FORWARD -i eth1 -s $LOOP -j DROP
iptables -A INPUT -i eth1 -d $LOOP -j DROP
iptables -A FORWARD -i eth1 -d $LOOP -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

# Block outgoing NetBIOS
iptables -A FORWARD -p tcp --sport 137:139 -o eth1 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth1 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth1 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth1 -j DROP

# Check source address validity on packets going out to the Internet
# (negation written as "! -s"; the older "-s !" spelling is deprecated in current iptables)
iptables -A FORWARD ! -s $PRIVATE -i eth0 -j DROP

# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

# Allow incoming pings
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow services such as ssh, www etc.
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# note: this matches any TCP packet whose source port is 20 (active-mode FTP data),
# on any interface and regardless of connection state
iptables -A INPUT -p tcp --sport 20 -j ACCEPT

# Allow incoming OpenVPN packets
iptables -A INPUT -p udp --dport 5000 -j ACCEPT

# Allow packets from TUN/TAP devices
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Allow packets from the private subnet
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

# Keep state of connections from the local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o eth1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade the local subnet
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth1 -j MASQUERADE
==================================================================

2.
Output of iptables -L (masquerading not working)

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  localhost            anywhere
DROP       all  --  anywhere             localhost
DROP       all  --  192.168.0.0/16       anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere
ACCEPT     all  --  localhost            anywhere
ACCEPT     all  --  anywhere             localhost
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data
ACCEPT     udp  --  anywhere             anywhere            udp dpt:5000
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  localhost            anywhere
DROP       all  --  anywhere             localhost
DROP       all  --  192.168.0.0/16       anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere
DROP       tcp  --  anywhere             anywhere            tcp spts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp spts:netbios-ns:netbios-ssn
DROP       all  -- !192.168.2.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp spts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp spts:netbios-ns:netbios-ssn
ACCEPT     all  --  anywhere             anywhere            state NEW
================================================================

3. Output of iptables -L -t nat (masquerading not working)

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  192.168.2.0/24       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
================================================================

4.
Contents of ip_conntrack (masquerading not working, end of file)

tcp 6 114 TIME_WAIT src=192.168.2.11 dst=192.168.2.1 sport=1037 dport=3128 src=192.168.2.1 dst=192.168.2.11 sport=3128 dport=1037 [ASSURED] use=1
tcp 6 112 TIME_WAIT src=192.168.2.11 dst=192.168.2.1 sport=1033 dport=3128 src=192.168.2.1 dst=192.168.2.11 sport=3128 dport=1033 [ASSURED] use=1
tcp 6 427031 ESTABLISHED src=192.168.2.1 dst=192.168.2.14 sport=3128 dport=1714 [UNREPLIED] src=192.168.2.14 dst=192.168.2.1 sport=1714 dport=3128 use=1
tcp 6 114 TIME_WAIT src=80.140.225.9 dst=64.4.48.253 sport=41576 dport=80 src=64.4.48.253 dst=80.140.225.9 sport=80 dport=41576 [ASSURED] use=1
tcp 6 119 TIME_WAIT src=80.140.225.9 dst=64.4.48.253 sport=41587 dport=80 src=64.4.48.253 dst=80.140.225.9 sport=80 dport=41587 [ASSURED] use=1
tcp 6 117 TIME_WAIT src=80.140.225.9 dst=64.4.48.253 sport=41584 dport=80 src=64.4.48.253 dst=80.140.225.9 sport=80 dport=41584 [ASSURED] use=1
tcp 6 115 TIME_WAIT src=80.140.225.9 dst=64.4.48.253 sport=41577 dport=80 src=64.4.48.253 dst=80.140.225.9 sport=80 dport=41577 [ASSURED] use=1
==================================================================

5. Now I run `iptables -F -t nat && iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE` and everything starts working. I ping a few random sites from the clients.
ip_conntrack (end of file):

tcp 6 114 TIME_WAIT src=192.168.2.14 dst=205.188.250.25 sport=1229 dport=80 src=205.188.250.25 dst=80.140.225.9 sport=80 dport=1229 [ASSURED] use=1
tcp 6 102 TIME_WAIT src=192.168.2.14 dst=192.168.2.1 sport=1174 dport=3128 src=192.168.2.1 dst=192.168.2.14 sport=3128 dport=1174 [ASSURED] use=1
tcp 6 104 TIME_WAIT src=80.140.225.9 dst=64.12.163.136 sport=41618 dport=80 src=64.12.163.136 dst=80.140.225.9 sport=80 dport=41618 [ASSURED] use=1
tcp 6 117 TIME_WAIT src=80.140.225.9 dst=205.188.165.185 sport=41661 dport=80 src=205.188.165.185 dst=80.140.225.9 sport=80 dport=41661 [ASSURED] use=1
tcp 6 106 TIME_WAIT src=80.140.225.9 dst=64.12.163.136 sport=41626 dport=80 src=64.12.163.136 dst=80.140.225.9 sport=80 dport=41626 [ASSURED] use=1
tcp 6 103 TIME_WAIT src=192.168.2.14 dst=192.168.2.1 sport=1179 dport=3128 src=192.168.2.1 dst=192.168.2.14 sport=3128 dport=1179 [ASSURED] use=1
tcp 6 112 TIME_WAIT src=80.140.225.9 dst=64.12.163.136 sport=41654 dport=80 src=64.12.163.136 dst=80.140.225.9 sport=80 dport=41654 [ASSURED] use=1
tcp 6 109 TIME_WAIT src=192.168.2.14 dst=192.168.2.1 sport=1205 dport=3128 src=192.168.2.1 dst=192.168.2.14 sport=3128 dport=1205 [ASSURED] use=1
=======================================================================

iptables -t nat -L:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  192.168.2.0/24       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
=======================================================================

If you need the full files, tell me where to send them and I will. I'd be VERY glad for any straightening of my crooked hands ;-)
192.168.2.1 is the server's address.

--
powered by Saicat Linux 2:467/70.49
--- tin/1.5.16-20030125 ("Bubbles") (UNIX) (Linux/2.4.26 (i686))
 * Origin: //Born to run Unix... (2:467/70.49)
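A way to read the ip_conntrack dumps above mechanically, as an added example that is not part of the original post: a 2.4-era conntrack entry carries the original tuple followed by the reply tuple, and MASQUERADE shows up as the reply direction being addressed to the router's public address instead of the original LAN source. The script below parses such lines, classifies each flow, and flags a LAN-sourced flow that reached an outside destination without translation. The sample lines are copied from the post; the WAN address 80.140.225.9 and the LAN prefix 192.168.2.0/24 are taken from it, and the one "leak" line is constructed here to exercise the failure case.

```python
"""Classify /proc/net/ip_conntrack (Linux 2.4 format) entries by whether the
reply tuple shows source NAT. Added example, not code from the original post."""
import ipaddress
import re
from dataclasses import dataclass

# original tuple and reply tuple both have this shape on a tcp/udp line
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class Flow:
    proto: str
    state: str
    orig_src: str
    orig_dst: str
    reply_src: str
    reply_dst: str
    assured: bool

    @property
    def snat(self) -> bool:
        # MASQUERADE/SNAT rewrites the original source, so replies are
        # addressed to the translated address rather than the original one.
        return self.orig_src != self.reply_dst


def parse_conntrack(text):
    """Return Flow objects for the tcp/udp lines of a conntrack dump."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "udp"):
            continue
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:          # unexpected layout: skip, do not guess
            continue
        # tcp lines carry a state label (TIME_WAIT, ESTABLISHED, ...) before
        # the tuple; udp lines have only "udp 17 <timeout>"
        state = fields[3] if fields[0] == "tcp" else "-"
        (osrc, odst, _, _), (rsrc, rdst, _, _) = tuples
        flows.append(Flow(fields[0], state, osrc, odst, rsrc, rdst,
                          "[ASSURED]" in line))
    return flows


def classify(flow, lan, wan_ip):
    """Verdict for one flow relative to the LAN prefix and the router's WAN IP."""
    src = ipaddress.ip_address(flow.orig_src)
    dst = ipaddress.ip_address(flow.orig_dst)
    if src == wan_ip:
        return "router-own"           # router itself (e.g. the proxy on port 3128) talking out
    if src in lan and dst in lan:
        return "lan-local"            # client to the proxy, never leaves the LAN side
    if src in lan and flow.snat and flow.reply_dst == str(wan_ip):
        return "masqueraded"          # what a working POSTROUTING rule produces
    if src in lan:
        # Private source forwarded towards an outside address with no
        # translation: the packet left with an RFC 1918 source address.
        return "leak-no-nat"
    return "other"


def audit(text, lan="192.168.2.0/24", wan_ip="80.140.225.9"):
    lan_net = ipaddress.ip_network(lan)
    wan = ipaddress.ip_address(wan_ip)
    return [(f.proto, f.orig_src, f.orig_dst, classify(f, lan_net, wan))
            for f in parse_conntrack(text)]


def summary(text, **kw):
    """Count verdicts, e.g. {'masqueraded': 1, 'lan-local': 1}."""
    counts = {}
    for *_, verdict in audit(text, **kw):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Sample input copied from the post: table while masquerading did not work.
BROKEN = """\
tcp 6 114 TIME_WAIT src=192.168.2.11 dst=192.168.2.1 sport=1037 dport=3128 src=192.168.2.1 dst=192.168.2.11 sport=3128 dport=1037 [ASSURED] use=1
tcp 6 427031 ESTABLISHED src=192.168.2.1 dst=192.168.2.14 sport=3128 dport=1714 [UNREPLIED] src=192.168.2.14 dst=192.168.2.1 sport=1714 dport=3128 use=1
tcp 6 114 TIME_WAIT src=80.140.225.9 dst=64.4.48.253 sport=41576 dport=80 src=64.4.48.253 dst=80.140.225.9 sport=80 dport=41576 [ASSURED] use=1
"""
# Sample input copied from the post: table after the manual MASQUERADE rule.
WORKING = """\
tcp 6 114 TIME_WAIT src=192.168.2.14 dst=205.188.250.25 sport=1229 dport=80 src=205.188.250.25 dst=80.140.225.9 sport=80 dport=1229 [ASSURED] use=1
tcp 6 102 TIME_WAIT src=192.168.2.14 dst=192.168.2.1 sport=1174 dport=3128 src=192.168.2.1 dst=192.168.2.14 sport=3128 dport=1174 [ASSURED] use=1
tcp 6 104 TIME_WAIT src=80.140.225.9 dst=64.12.163.136 sport=41618 dport=80 src=64.12.163.136 dst=80.140.225.9 sport=80 dport=41618 [ASSURED] use=1
"""
# Constructed line (not from the post): a LAN client forwarded out untranslated.
LEAK = """\
tcp 6 118 SYN_SENT src=192.168.2.14 dst=64.4.48.253 sport=1300 dport=80 [UNREPLIED] src=64.4.48.253 dst=192.168.2.14 sport=80 dport=1300 use=1
"""

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("working", WORKING), ("leak", LEAK)):
        print(name, summary(sample))
```

In the "broken" dump there is no flow from a 192.168.2.x client to an outside host at all, only the proxy's own connections from 80.140.225.9; in the "working" dump the 192.168.2.14 flow to 205.188.250.25 shows reply dst=80.140.225.9, which is the translation. A "leak-no-nat" verdict on a real box means packets are leaving the WAN side with a private source address, so look at the POSTROUTING rule's `-o` interface and the actual outgoing interface in the routing table.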
Archived at /ru.linux/35862c6ba29f9.html